Posted on May 18, 2021 at 5:03 PM
A division of insurance giant AXA has suffered a massive ransomware attack, according to recent reports.
The attack targeted AXA’s operations in the Philippines, Hong Kong, Malaysia, and Thailand. It comes only a few days after the company announced that it will no longer provide insurance cover in France for damages resulting from a ransomware attack.
According to the report, the attack is believed to have been carried out by the Avaddon ransomware gang, which claims to have stolen 3 TB of data, including medical records and personal data.
AXA in damage control operation
AXA has confirmed the attack, but it claims that the threat actors did not access any data other than that held by IPA in Thailand. It also stated that it has organized a dedicated task force to investigate the situation and prevent any further damage the incident could cause.
AXA also explained that it takes data privacy seriously and would take the necessary notification steps if IPA’s investigations reveal that sensitive data was stolen.
It said it will inform all individuals and corporate clients impacted by the attack to prevent more damage.
AXA has been given three days to meet the ransom demand
It’s still not clear what the motivation of the Avaddon ransomware gang was. But they have already contacted the major Europe-based insurer, giving it three days to meet their ransom demands or risk having its data exposed to the public.
A spokesperson for AXA Partners stated the threat actors were able to access some data processed by Intel Partners in Thailand.
According to members of the Avaddon group, the stolen files include information like ID cards, passports, bank account information, payments to customers, customer claims, contracts, as well as denied reimbursements. The gang also posted samples of the data as proof.
Chad Anderson, a researcher at DomainTools, stated that the Avaddon ransomware actors have shared a screenshot of their list of targets and the deadlines those targets have to pay the ransom.
The companies on the list include AXA Group, Acer Finance, PT Angkasa, Henry Oil & Gas, insurance broker Letton Percival, software company Vistex, and computer hardware company ECGA.
A revenge mission
Last week, both the Australian Cyber Security Center and the FBI released an advisory on the tactics of the Avaddon group.
AXA recently stopped offering cyber insurance contracts that involve the payment of indemnity for ransomware payments. The decision was in line with the position of the French regulator, which believes that ransomware attacks have increased because victims can claim on insurance for such incidents. The French body argued that organizations are becoming too willing to give in to ransom demands because insurance cover exists for such situations.
Brian Higgins, a security specialist at Comparitech, suggested that the ransomware attack could be a revenge mission for the company’s change in policy.
Ransomware groups are growing in skills
Since June last year, the Avaddon group has released data on several corporate victims on their dark web site. The number has increased since ransomware operators started using double-extortion techniques on their victims.
The recent ransomware incident at AXA is an indication that ransomware groups continue to develop their methods and skills for launching different kinds of attacks on targets.
AXA did not mention how much ransom the group is demanding or whether it will meet the demand.
Ransomware attacks in Europe are increasing, with France-based companies among the most targeted in the region.
Authorities have always been against the idea of meeting the ransom demands of threat actors because paying fuels more attacks. If the attackers believe their unscrupulous business is paying, they will keep launching attacks to continue their extortion.
An AXA spokesperson noted that the company’s suspension of marketing is a step in the right direction. It will allow AXA to complete the investigation and clarify any pending issues caused by the threat actors.